Tuesday, June 16, 2009

An open letter to Google

This six-page letter (pdf) to Google's CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users' communications from theft and snooping by enabling industry-standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google's Web applications from an unsecured network, and Google's existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers' sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and AdWords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.

Rather than forcing its customers to "opt-in" to adequate security, Google should make security and privacy the default.
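To make the difference between "HTTPS for login only" and "HTTPS for the whole session" concrete, here is an added illustration (not code from the letter or from Google) that models both policies as tiny request handlers and reports what an on-path observer on an open wireless network would see in plaintext. The host name, cookie name and cookie value are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model of two session policies; host, cookie name and value are placeholders.
SESSION_COOKIE, SESSION_VALUE, HOST = "SID", "abc123", "mail.example.test"

@dataclass
class Request:
    scheme: str                      # "http" or "https"
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def weak_policy(req: Request) -> Response:
    """Opt-in model: only /login must be HTTPS; the session cookie has no Secure flag,
    so the browser also sends it over plain HTTP and the inbox is served in the clear."""
    if req.path == "/login":
        if req.scheme != "https":
            return Response(302, {"Location": f"https://{HOST}/login"})
        return Response(200, {"Set-Cookie": f"{SESSION_COOKIE}={SESSION_VALUE}; HttpOnly"})
    if req.cookies.get(SESSION_COOKIE) == SESSION_VALUE:
        return Response(200, body="inbox contents")
    return Response(401)

def secure_policy(req: Request) -> Response:
    """Default-on model: every plain-HTTP request is redirected, the cookie is marked
    Secure, and an HSTS header tells the browser to keep using HTTPS."""
    if req.scheme != "https":
        return Response(301, {"Location": f"https://{HOST}{req.path}"})
    hdrs = {"Strict-Transport-Security": "max-age=31536000"}
    if req.path == "/login":
        hdrs["Set-Cookie"] = f"{SESSION_COOKIE}={SESSION_VALUE}; Secure; HttpOnly"
        return Response(200, hdrs)
    if req.cookies.get(SESSION_COOKIE) == SESSION_VALUE:
        return Response(200, hdrs, "inbox contents")
    return Response(401, hdrs)

def cleartext_exposure(policy, scheme="http") -> dict:
    """Log in over HTTPS, then fetch /inbox over `scheme` the way a browser would on an
    open wireless network; report what an on-path observer sees in plaintext."""
    cookie = policy(Request("https", "/login")).headers.get("Set-Cookie", "")
    secure = "Secure" in cookie.split("; ")   # browsers send Secure cookies only over https
    sent = {} if (secure and scheme != "https") else {SESSION_COOKIE: SESSION_VALUE}
    inbox = policy(Request(scheme, "/inbox", sent))
    return {"cookie_in_clear": scheme == "http" and bool(sent),
            "body_in_clear": scheme == "http" and inbox.status == 200 and bool(inbox.body),
            "redirected_to_https": inbox.status in (301, 302)}
```

Under `weak_policy` both the session cookie and the inbox body cross the open network in cleartext; under `secure_policy` the plain-HTTP fetch carries no cookie and is redirected before any content is served.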

View the full letter at cloudprivacy.net

3 comments:

Brice Stacey said...

Found an article that says Google will be performance testing https on select users who hadn't enabled it.

http://lowendmac.com/musings/09mm/secure-gmail-https.html

Anonymous said...

This is applicable also to Gmail accessed from mobile phones, as shown here:

http://www.mseclab.com/?p=160

by using the hijacking technique demonstrated at BH Europe '09.

J. Wisneski said...

I just listened to Mr. Soghoian's presentation concerning Internet privacy (including Google's https situation) from the Berkman Center for Internet and Society. As a college student whose university has made the move to Google, the use of https does not even appear to be an option through the Google based e-mail system.

Mr. Soghoian offered a great presentation at the Berkman Center and responded well to the questions presented.